
Chinese hackers target ManageEngine password manager

Around nine organizations in the technology, defense, health care, energy, and education industries hit in new campaign

Security researchers have warned of a new Chinese hacking campaign using a known flaw in the Zoho ManageEngine ADSelfService Plus password manager to steal data.

Hackers gained initial access to targeted organizations by exploiting a recently patched vulnerability in Zoho’s ManageEngine product, ADSelfService Plus, tracked as CVE-2021-40539, according to researchers at Palo Alto Networks’ Unit 42.

Researchers added that this campaign is separate from one described in a US Cybersecurity and Infrastructure Security Agency (CISA) advisory published in September.

The flaw, CVE-2021-40539, allows for REST API authentication bypass with resultant remote code execution on vulnerable devices. Zoho patched the flaw in September.

In this campaign, hackers used leased infrastructure in the US to scan hundreds of vulnerable organizations across the internet. Researchers said exploitation attempts began on September 22 and continued into early October. During that window, the actor successfully compromised at least nine global entities in the technology, defense, health care, energy, and education industries.

After the initial exploitation, a payload was uploaded to the victim network, which installed a Godzilla webshell.

“This activity was consistent across all victims; however, we also observed a smaller subset of compromised organizations who subsequently received a modified version of a new backdoor called NGLite,” said researchers.


Hackers then used either the webshell or the NGLite payload to run commands and move laterally to other systems on the network, while exfiltrating files of interest simply by downloading them from the web server.

“Once the actors pivoted to a domain controller, they installed a new credential-stealing tool that we track as KdcSponge,” said researchers.

Researchers said Godzilla and NGLite were developed with Chinese instructions and are publicly available for download on GitHub.

“We believe threat actors deployed these tools in combination as a form of redundancy to maintain access to high-interest networks,” researchers added.

Researchers said the hackers' main goal was to gain persistent access to the network and gather and exfiltrate sensitive documents from the compromised organization.

“The threat actor gathered sensitive files to a staging directory and created password-protected multi-volume RAR archives in the Recycler folder. The actor exfiltrated the files by directly downloading the individual RAR archives from externally facing web servers,” researchers added.
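The exfiltration step described above, where multi-volume RAR archives are pulled straight off an externally facing web server, leaves a recognisable trace in ordinary web server access logs. The following is an added example of a detection check for that pattern; it is not code from Unit 42, Zoho or IT Pro. It assumes the combined (Apache/NGINX-style) access log format, and the log lines it runs over are constructed sample data, not records from the campaign. The heuristic flags successful downloads of RAR archives from the web root, and treats a single source pulling several volumes of the same archive as the strongest signal.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# RAR naming schemes: name.rar, name.part1.rar / name.part01.rar, and legacy name.r00 ... name.r99
RAR_RE = re.compile(r'(?:\.part\d+\.rar|\.rar|\.r\d{2})$', re.IGNORECASE)
MULTIVOLUME_RE = re.compile(r'(?:\.part\d+\.rar|\.r\d{2})$', re.IGNORECASE)


@dataclass
class Finding:
    ip: str          # client that fetched the archive
    timestamp: str   # raw timestamp from the log line
    path: str        # requested path
    size: int        # response bytes (0 when the log records '-')
    base: str        # archive name with the volume suffix stripped
    multivolume: bool


def _filename(path: str) -> str:
    """Strip the query string and directory part of a request path."""
    return path.split('?', 1)[0].rsplit('/', 1)[-1]


def is_rar_archive(path: str) -> bool:
    return bool(RAR_RE.search(_filename(path)))


def is_multivolume(path: str) -> bool:
    return bool(MULTIVOLUME_RE.search(_filename(path)))


def find_archive_downloads(lines):
    """Return a Finding for every successful GET of a RAR archive in the log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if m['method'] != 'GET' or m['status'] != '200':
            continue  # only completed downloads matter here
        path = m['path']
        if not is_rar_archive(path):
            continue
        name = _filename(path)
        findings.append(Finding(
            ip=m['ip'],
            timestamp=m['ts'],
            path=path,
            size=int(m['size']) if m['size'] != '-' else 0,
            base=RAR_RE.sub('', name),
            multivolume=is_multivolume(path),
        ))
    return findings


def group_volumes(findings):
    """Map (source ip, archive base name) -> sorted list of distinct paths fetched."""
    groups = defaultdict(set)
    for f in findings:
        groups[(f.ip, f.base)].add(f.path)
    return {key: sorted(paths) for key, paths in groups.items()}


def suspicious_sources(findings, min_volumes=2):
    """Source IPs that fetched at least min_volumes volumes of one archive."""
    hits = {ip for (ip, _base), paths in group_volumes(findings).items()
            if len(paths) >= min_volumes}
    return sorted(hits)


# Constructed sample log: one client pulls three volumes of a staged archive,
# one client gets a 404, and one client fetches a small single-file archive.
SAMPLE_LOG = [
    '198.51.100.23 - - [23/Sep/2021:14:02:11 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [23/Sep/2021:14:03:05 +0000] "GET /help/data.part1.rar HTTP/1.1" 200 52428800 "-" "curl/7.68.0"',
    '198.51.100.23 - - [23/Sep/2021:14:04:10 +0000] "GET /help/data.part2.rar HTTP/1.1" 200 52428800 "-" "curl/7.68.0"',
    '198.51.100.23 - - [23/Sep/2021:14:05:12 +0000] "GET /help/data.part3.rar HTTP/1.1" 200 31457280 "-" "curl/7.68.0"',
    '203.0.113.7 - - [23/Sep/2021:14:06:00 +0000] "GET /help/data.part1.rar HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [23/Sep/2021:15:00:00 +0000] "GET /downloads/tool.rar HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    found = find_archive_downloads(SAMPLE_LOG)
    for f in found:
        print(f'{f.ip} {f.timestamp} {f.path} {f.size} bytes multivolume={f.multivolume}')
    print('sources pulling multiple volumes:', suspicious_sources(found))
```

Any RAR download from a web root that is not a known distribution point deserves a look, but the multi-volume grouping is what separates the staged-and-split pattern in the Unit 42 description from a legitimate one-off download. Pair a hit with a file-system check of the web root and any Recycler directories for matching archive names, and with the account and process that wrote them there.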
